Understanding Content-Security-Policy
I am interested in preventing clickjacking on my customer's website that is hosted in cPanel.
This help article seems to suggest you can simply add a line to the .htaccess file - but is it referring to the one in the public_html/ folder or at the server level?
I want to target this policy to individual sites / or alias / parked domains on a single site.
[QUOTE]
Apache Content-Security-Policy Header
Add the following to your httpd.conf in your VirtualHost or in an .htaccess file:
Header set Content-Security-Policy "default-src 'self';"
I also found
[QUOTE]This help article (https://content-security-policy.com/) seems to suggest you can simply add a line to the .htaccess
Unfortunately the pointed website is poorly versed in the subject. Simply adding a line to the .htaccess could have awful consequences.
1. It's safer to wrap headers into a block in case mod_headers is not installed with Apache. It's not relevant for cpanel.net, but could be relevant for others, otherwise you'll get an error with code 500:
Header set Content-Security-Policy "frame-ancestors 'self'"
Header set X-Frame-Options "DENY"
2. Headers from .htaccess will be published with all files (any MIME type). This leads your PDF files and media files
Header set Content-Security-Policy "... directives here ..."
to exclude some MIME-types not to be accompanied by CSP headers. It can be actual for workers, because for these Firefox
Thanks for the post, @ZenHostingTravis!
OK I solved all the issues now - I am using this in my .htaccess:
Header set Content-Security-Policy "frame-ancestors 'self'; upgrade-insecure-requests; default-src 'self'; script-src 'self' data: cdnjs.cloudflare.com Analytics Tools & Solutions for Your Business - Google Analytics reCAPTCHA https://googleapis.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; object-src 'self'; frame-src data: google.com; img-src 'self' data: gstatic.com; font-src 'self' fonts.gstatic.com; connect-src 'self'; base-uri 'self'; form-action 'self'; worker-src 'none';"
However, I am not sure if I am supposed to wrap the above in the ??? Also - on the front end of the site is a WordPress installation. Currently I am not applying the above to that - but only to the folder "example.com/customers" - as this is a folder where customers login. Would it be better to add the CSP to the entire site? I did briefly try to add it to WordPress - but there were dozens of scripts that were suddenly not loading. It seems like adding each script to the SRC and CONNECT parameters would be a very long job. Here is a useful site to use as a checker:
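An added example, not taken from the thread, of the guarded and scoped .htaccess form the reply above describes: the Header directives are skipped instead of producing a 500 error when mod_headers is absent, and the CSP is removed again for document and media files that cannot run scripts. Dropping this .htaccess into public_html/customers/ confines it to that directory tree, as the poster is doing; the file-extension list is an assumption.

```apache
# Added example (not the thread's own config). Assumes mod_headers may or
# may not be loaded; the <IfModule> guard makes the block a no-op when it is
# missing instead of breaking every request with a 500 error.
<IfModule mod_headers.c>
    # "always" also attaches the headers to error responses (404, 500, ...).
    # frame-ancestors 'self' is the clickjacking control the poster asked for.
    Header always set Content-Security-Policy "frame-ancestors 'self'; default-src 'self'; base-uri 'self'; form-action 'self'"
    # Fallback for older browsers that ignore frame-ancestors;
    # SAMEORIGIN is the X-Frame-Options equivalent of frame-ancestors 'self'.
    Header always set X-Frame-Options "SAMEORIGIN"

    # Point 2 of the reply: the headers above are sent with every file served
    # from this directory. Strip them again for static documents and media,
    # where a CSP has no effect. Extension list is an assumption; SVG is
    # deliberately left out because it can carry script.
    <FilesMatch "\.(pdf|mp4|webm|mp3|ogg|jpg|jpeg|png|gif|woff|woff2)$">
        Header always unset Content-Security-Policy
        Header always unset X-Frame-Options
    </FilesMatch>
</IfModule>
```

Because the directives live in the customers/ .htaccess, the WordPress front end above it is untouched, which matches the poster's current setup.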